TSpace Research Repository tspace.library.utoronto.ca 


Lawful Ilegality: What Snowden Has Taught 
us About the Legal Infrastructure of the 
Surveillance State 


Lisa M. Austin 


Version Post-print/accepted manuscript 


Citation Austin, Lisa M., Lawful Illegality: What Snowden Has Taught Us About 
(published version) the Legal Infrastructure of the Surveillance State (April 2014). 
http://dx.doi.org/10.2139/ssrn.2524653 


How to cite TSpace items 


Always cite the published version, so the author(s) will receive recognition through services that track 
citation counts, e.g. Scopus. If you need to cite the page number of the author manuscript from TSpace 
because you cannot access the published version, then cite the TSpace version in addition to the published 

version using the permanent URI (handle) found on the record page. 


This article was made openly accessible by U of T Faculty. 
Please tell us how this access benefits you. Your story matters. 


& 


| UNIVERSITY OF TORONTO 
LIBRARIES 


Lawful Illegality: What Snowden Has Taught us About the Legal Infrastructure of the 
Surveillance State 


Lisa M. Austin 


University of Toronto Faculty of Law 


(a) Introduction 


The Snowden revelations have revealed to us, with impressive documentation, the technical 
infrastructure of contemporary state surveillance. What is less obvious, but of great importance, 
is the revelation of the legal infrastructure of this surveillance. In this essay I argue that this 
infrastructure is best understood as one of “lawful illegality.” 

One aspect of the lawful illegality of surveillance is the conflicting reactions of citizens and 
authorities when surveillance programs are revealed. Members of the public, upon learning what 
some national security authority is doing, protest that it must be illegal. The national security 
authority, and government, claim that everything they do is lawful. The label “lawful illegality” 
captures this conflict between the perspective of the state and the perspective of ordinary 
citizens. 

It is likely the case that spy craft has always operated within a space of conflicted legality. 
For example, state security agencies might have lawful authority under their domestic law to 
engage in actions abroad that might breach the domestic laws of other nations or international 


legal norms.' But what has become so clear in the wake of the Snowden revelations is the 


‘IT would like to thank David Dyzenhaus and Kent Roach for comments on portions of an 
earlier draft. I would also like to thank Kent Roach and Hamish Stewart for ongoing 
discussions this year regarding the Snowden revelations. All errors are, of course, mine. 
' For a good discussion of extraterritorial intelligence gathering, see Craig Forcese, “Spies 
Without Border: International Law and Intelligence Collection” (2011) 5 Journal of National 
Security Law & Policy 179. 


dramatically changed landscape of state surveillance. Ideas of what is included in “national 
security” have broadened, and targets now include ordinary individuals and not simply foreign 
states and foreign agents. The line between criminal offences and national security offences has 
blurred, both domestically and internationally. Effective state action against terrorism requires 
cooperation between national security authorities, law enforcement authorities, and border 
officials, both within a state and across borders, as well as sophisticated technologies that make 
use of a global and interconnected communications infrastructure.” This changed landscape 
reveals a deeper tension than simply conflicting perspectives of legality. My claim in this paper 
is that there is a serious rule of law problem. 

The rule of law requires the commitment that state action itself be subject to the law. In this 
paper I claim that the issues of secrecy, complexity, and jurisdiction work together to create 
“lawful” paths for state surveillance for national security purposes that are nevertheless in deep 
tension with a general commitment that this surveillance be subject to the oversight and 
accountability demanded by the rule of law. Throughout, I illustrate these issues with a set of 
examples largely taken from the Snowden revelations, with a Canadian perspective. These 
examples are not meant to provide an exhaustive overview of the issues but to highlight the 
importance of attending to these larger questions of legality if we are going to move forward and 


design a better system of oversight. 


(b) Illegality and Emergencies 


* This was very clear from the remarks of Stephen Rigby, National Security Advisor to the Prime 
Minister and PCO, Michel Coulombe, Director of CSIS, and John Forster, Chief of CSE, at the 
hearing of the Senate Committee on National Security and Defence, February 3, 2014. See 
Proceedings of the Standing Senate Committee on National Security and Defence, online: 
http://www.parl.gc.ca/Content/SEN/Committee/412/secd/02ev-51162- 
e.htm?Language=E&Parl=41&Ses=2&comm_id=76). 


In the aftermath of 9/11, there was a significant rule-of-law debate regarding the role of law 
in fettering executive discretion in times of emergency. This framework of “emergencies” 
remains important in public discourse concerning surveillance. For example, United States 
Supreme Court Justice Scalia recently commented upon the possibility that the Supreme Court 
would ultimately decide upon the constitutionality of some of the American surveillance 
programs.° The legal question, he said, is about “balancing the emergency against the intrusion 
[on the individual]”. He also suggested that the court was the “least qualified” institution to 
decide this issue. This lack of expertise, one can infer, concerns the court’s qualification to judge 
the demands of emergencies, not the demands of the Fourth Amendment; whatever judgment 
emergencies require, the executive and not the courts are the experts. 

As Dyzenhaus has argued, some of the post 9/11 debate regarding emergencies and the rule 
of law concerns the different responses one might take to the existence of either legal black holes 
or legal grey holes. A black hole is where the legislature seeks to carve out a space of no-law; a 
grey hole is “one in which there is the facade or form of the rule of law rather than any 
substantive protections.” The space created by such holes is a space for executive discretion and 
the need for such space derives from the perceived exceptional nature of national emergencies, 


where it is difficult to anticipate in advance what that emergency will be and how one should 


* Lawrence Hurley, “Supreme Court Will Likely Rule On NSA Programs, Antonin Scalia and 
Ruth Bader Ginsburg Suggest” Reuters (17 April 2014), online: HuffPost 

http://www. huffingtonpost.com/2014/04/17/supreme-court-nsa_n_5170559.html . 

* David Dyzenhaus, The Constitution of Law: Legality in a Time of Emergency, (Cambridge: 
Cambridge Universtity Press, 2006) at 3. 


respond.” 

This framework of emergencies, with its themes of uncertainty and unforseeability, is both 
helpful and unhelpful when applied to state surveillance. It is helpful in that the exceptional 
nature of terrorism has deeply influenced contemporary methods of state surveillance. One 
aspect of the exceptional nature of terrorism is indeed its unpredictability. It is difficult to 
anticipate who will engage in acts of terrorism: agents of foreign powers, members of existing 
and known terrorist organizations, affiliates abroad, or homegrown extremists? It is difficult to 
anticipate where an attack will take place, whether many civilians will be at risk, the potential 
scale of an attack, and so on. Another aspect of the exceptional nature of terrorism is the type of 
risk it is seen to be — not just a risk of potentially catastrophic harm but a deep political threat to 
the state. For example, the US considers itself to be at “war” against al Queda.° The 
extraordinary nature of the threat of terrorism also underpins the US response of seeking to 
prevent future terrorist attacks, with a “never again” mentality.’ 

However, focusing on the exceptional nature of emergencies can detract us from the most 
salient features of the state surveillance methods Snowden has revealed to the world: they are in 
fact a rational, systematic, planned response to the perceived need to prevent terrorist attacks. In 
other words, the framework of emergencies concerns whether what is needed is a discretionary 


space for executive authority — either legal black holes or legal grey holes — to nimbly respond 


> Ibid. See also Adrian Vermuele, “Our Schmittian Administrative Law” (2009) 122 Harvard 
Law Review 1095; Evan J Criddle, “Mending Holes in the Rule of (Administrative) Law” (2010) 
104 Northwestern University Law Review 309. 

° President Barak Obama, “Remarks by the President at the National Defence University” (23 
May 2013) online: The White House http://www. whitehouse.gov/the-press- 
office/2013/05/23/remarks-president-national-defense-university. 

’ John Ashcroft, Never Again: Securing America and Restoring Justice (Center Street, 2008); 
Julietter Kayyem, “Never Say ‘Never Again’: Out foolish obsession with stopping the next 
attack” Foreign Policy (11 September 2013). 


to exceptional circumstances that cannot be foreseen in advance. But state surveillance premised 
on the idea of collecting the “haystack” to find the “needle” is not about preserving discretion at 
all. It is about applying rational analytic methods to the problem of preventing certain kinds of 
threats that have been identified at least at some level of generality (e.g. terrorist threat).* The 
proper frame of the rule of law challenge is not about the question of whether executive 
discretionary authority in relation to emergencies can and should be constrained by the reason of 
the law; instead, it is about whether mass surveillance as a mode of rational social ordering is in 
conflict with the deepest commitments of law as a mode of rational social ordering. 

When we talk about the legality of surveillance, therefore, we need to focus less on the 
spaces of discretion and more on the systematic features of surveillance that put strain on our 
traditional understandings of the rule of law. In particular, I want to flag three issues. The first is 
the issue of secrecy and the degree to which it is demanded by the national security context. My 
claim is that it creates pressure for unilateral, rather than objective and public, interpretations of 
the law. The second is the issue of legal complexity, especially as it relates to law reform 
initiatives. Where there is an increased blurring between regular law enforcement, border 
control, and terrorism investigations, as well as increasingly complex relationships between 
private sector communications intermediaries and the state, gaining a clear public understanding 
of proposed changes to lawful access laws or the full significance of legal cases before the 
courts, is extremely difficult. The third is the issue of jurisdiction and the extent to which 
national boundaries and questions of status (like citizenship) affect the lawfulness of 


surveillance. In particular, I argue that instead of providing us with the tools for accountability, 


* As Roach has argued, this debate is not about emergencies per se so much as the rights of 
terrorist suspects. See Kent Roach, “Ordinary laws for emergencies and democratic derogations 
from rights” in Victor V. Ramraj, ed., Emergencies and the Limits of Legality (Cambridge: 
Cambridge University Press, 2012) 229. 


status and jurisdiction allow for the leveraging of national boundaries to create an international 


surveillance regime with questionable accountability. 


(c) Secrecy and Unilateralism 


One of the most basic understandings of the rule of law is that government itself is subject to 
law. As already noted, one of the remarkable things about the Snowden revelations is that the 
response of both the intelligence agencies and the governments involved has largely been to 
claim that they are acting in a lawful manner. What has become clear, however, is that these 
claims of lawfulness are often unilateral in the sense that they are either claims of a one-sided 
interpretation of the law or claims of deference to that one-sided interpretation within an 
accountability framework that is structurally biased. Secrecy is a key ingredient to this 
unilateralism. However, such unilateralism lies in tension with our deeper commitments to 
legality, which demands that law reflect a “public” perspective and not that of an entity who is 
supposed to be regulated by that law. 

In Canada, the Communications Security Establishment of Canada’s claims of the lawfulness 
of its metadata program, for example, turn out largely to be a claim that there is a plausible legal 
interpretation that shows CSEC’s activities to be both within its statutory authority and 
consistent with the Canadian Charter. The problem is that the plausible legal interpretation is 
one provided by the government itself and its conclusion of lawfulness is far from obvious to 
outside observer. As we have seen from the public controversy surrounding the disclosures 
regarding CSEC’s alleged collection of communications metadata at public wifi spots, many 


well-informed commentators express incredulity regarding how such activities are lawful under 


either the National Defence Act or the Canadian Charter.’ 

CSEC does not make its legal interpretation public, so its claims of lawfulness rest not just 
on its own legal interpretation but, importantly, on a secret interpretation. CSEC itself often 
points to the independent oversight of the CSE Commissioner as part of the accountability 
framework within which it operates.'° This suggests that the CSE Commissioner is able to 
independently assess the lawfulness of CSEC’s activities. However, we know from the Annual 
Reports of past CSE Commissioners that where there is a difference of views regarding legal 
interpretation, it is CSEC’s view that prevails. For example, in his 2005-2006 Annual Report, 
Commissioner Lamer stated: 

With respect to my review of CSE activities carried out under ministerial authorization, I 
note that I concluded on their lawfulness in light of the Department of Justice interpretation 
of the applicable legislative provisions. I have pointed out elsewhere that there are 
ambiguities int he legislation as now drafted, a view that I share with my predecessor, the 
Hon. Claude Bisson, O.C., a former Chief Justice of Quebec. Currently, two eminent 
lawyers, the Deputy Minister of Justice and my independent Legal Counsel disagree over the 
meaning of key provisions that influence the nature of the assurance that I can provide.'! 


Similar statements have been made by subsequent Commissioners. '” 


Without an accountability mechanism that allows for the government’s interpretation of 


” Greg Weston, Glenn Greenwald, Ryan Galllagher, “CSEC used airport Wi-Fi to track 
travellers: Edward Snowden documents” CBC News (30 January 2014), online: CBC 
<http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward- 
snowden-documents-1.2517881>. 

' See, for example, the remarks of John Forster, Chief, Communications Security Establishment 
Canada (CSEC) supra note 2. 

'' Communications Security Establishment Commissioner, Annual Report 2005-2006 at 9. This 
disagreement was not about the metadata program. 

'? Communications Security Establishment Commissioner, Annual Report, 2006-2007 at 2, and 
Communications Security Establishment Commissioner, Annual Report, 2008-2009 at 2 
(Commissioner Gonthier); Communications Security Establishment Commissioner, Annual 
Report, 2012-2013 (Commissioner Décary), discussing his disappointment that the government 
has not made the legislative amendments called for as a response to this dispute (at 7-8). The 
Commissioner also noted that 92 percent of the Commissioners’ recommendations since 1997 
have been implemented (at 3). 


the law to effectively be contested as well as for a final determination by an objective body, like 
a court, then “lawfulness” turns out to simply mean a claim to operate within one’s own 
interpretation of the law. Oversight, on this model, means independent assurance that one’s 
activities conform to one’s own interpretation of the law. To be subject merely to one’s own 
interpretation of the law looks a lot like getting to be one’s own judge, and it lies in deep tension 
with the ideal of law as an objective constraint on state power. 

This unilateralism is exacerbated by several other layers of secrecy that remove a number of 
potential informal constraints that can operate to ensure balanced, rather than biased, legal 
advice. People seek legal advice because they want to do things and need to find out how to do 
them legally. There is a natural pressure, in such a context, to provide a permissive interpretation 
of the law. Many factors typically operate to provide a countervailing pressure but most of these 
depend upon the understanding of the parties involved that the actions taken pursuant to that 
legal advice will be public and can be called into question by those affected by them. If there is 
reason to think that those affected can argue that the actions taken are in fact contrary to law, 
then there is a risk of legal liability that will factor into the original advice offered. More 
generally, public scrutiny through the press and academia provide another set of informal 
constraints, albeit less direct. But state surveillance operations, both in terms of general programs 
and in terms of particular operations, are secret. If surveillance is secret, then the people likely 
affected by the surveillance are in no position to contest it, and this removes one of the informal 
constraints that can operate to provide balance in determining the lawfulness of the surveillance. 
In other words, the layers of secrecy surrounding state surveillance structurally enable one-sided 
legal advice. 


If the legal opinions establishing lawfulness are secret, if the activities at issue are secret, if 


the legal opinions are ones that even those tasked with oversight must defer to, then the 
“lawfulness” of surveillance is very one-sided indeed. The systematic effect of this on civil 
liberties should not be underestimated. David Cole has argued, for example, that post 9/11 it has 
been civil society groups that have been one of the most important guardians of constitutional 
and rule-of-law values, and not the more “formal mechanisms of checks and balances” in the 
US."* Such groups cannot perform this function when they have no way of knowing the legal 
opinions and actions of the state, apart from what they learn from whistleblowers. 

We also need to view this unilateralism in the context of what two different whistleblowers 
have told us about how the government might in different ways exert pressure for favourable 
legal interpretations. 

The first whistleblower is Edgar Schmidt, a former Justice Department lawyer who is taking 
the government to court, seeking a declaration regarding what he considers to be unlawful 
practices in relation to the Department of Justice’s review of proposed legislation and 
regulations. He argues, in his statement of claim: 

Since about 1993, with the knowledge and approval of the Deputy Minister, an 
interpretation of the statutory examination provisions has been adopted in the Department to 
the effect that what they require is the formation of an opinion as to whether any provision of 
the legislative text being examined is manifestly or certainly inconsistent with the Bill of 
Rights or the Charter and, in the case of proposed regulations, whether any provision is 
manifestly or certainly not authorized by the Act under which the regulation is made. '* 

This has yet to be tested in court. However, these allegations highlight some of the ways in 


which institutional cultures can develop in a manner that promotes, not bad faith interpretative 


practices but at least a practice of “sharp elbows”, where legal interpretation is routinely pushed 


'S David Cole, “Where Liberty Lies: Civil Society and Individual Rights After 9/11” (2012) 57 
The Wayne Law Review 1203 at 1204-5. 

'* Federal Court, Edgar Schmidt and the Attorney-General of Canada, Statement of Claim, Court 
File No. T-2225-12 at para. 13. 


as far as possible in the government’s favour.’ 

The other whistle blower is Edward Snowden. In a statement to the European Parliament, 
Snowden outlined the NSA’s role in law reform in Europe. His remarks are worth quoting at 
length: 


One of the foremost activities of the NSA's FAD, or Foreign Affairs Division, is to pressure 
or incentivize EU member states to change their laws to enable mass surveillance. Lawyers 
from the NSA, as well as the UK's GCHQ, work very hard to search for loopholes in laws 
and constitutional protections that they can use to justify indiscriminate, dragnet surveillance 
operations that were at best unwittingly authorized by lawmakers. These efforts to interpret 
new powers out of vague laws is an intentional strategy to avoid public opposition and 
lawmakers’ insistence that legal limits be respected, effects the GCHQ internally described in 
its own documents as "damaging public debate." 

In recent public memory, we have seen these FAD "legal guidance" operations occur in 
both Sweden and the Netherlands, and also faraway New Zealand. Germany was pressured to 
modify its G-10 law to appease the NSA, and it eroded the rights of German citizens under 
their constitution. Each of these countries received instruction from the NSA, sometimes 
under the guise of the US Department of Defense and other bodies, on how to degrade the 
legal protections of their countries' communications. The ultimate result of the NSA's 
guidance is that the right of ordinary citizens to be free from unwarranted interference is 
degraded, and systems of intrusive mass surveillance are being constructed in secret within 
otherwise liberal states, often without the full awareness of the public.'® 


We have no evidence so far that Canada has been subject to such pressure, but Snowden’s 
remarks highlight another cause for concern regarding secrecy and the unilateralism it enables— 
that a strategy of promoting legal interpretations enabling surveillance, rather than seeking to 
clarify the law through law reform, might be a strategy of actually avoiding public debate. The 
result is a claim of “lawfulness” that has not just lost its connection to the public point of view 


but has sought to actively sever it. 


'S Lon Fuller argues that “[a] strong commitment to the principles of legality compels a ruler to 
answer to himself, not only for his firsts, but for his elbows as well” (Lon L Fuller, The Morality 
of Law (New Haven, Yale University Press, 1969) at 159). 

'© Edward Snowden, Testimony Before the European Parliament (7 March 2014) 
http://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307 
ATT80674EN.pdf. 


10 


(d) Complexity and Lawful Access 


In addition to secrecy, and sometimes working in conjunction with it, legal complexity 
undermines accountability. One aspect of this complexity, within Canada, is the different 
institutions that deal with national security concerns, including the RCMP, CSIS and CSEC. 
Oversight of each is handled differently, with limited ability to coordinate between oversight 
bodies even in relation to the ways in which these bodies cooperate and assist one another.'’ 
However, the complexity that I want to highlight here concerns law reform itself, given these 
interrelationships. That is, even if the state pursues public law reform rather than secret legal 
interpretations, it is often difficult to understand the full implications of legal changes. Instead of 
understanding themselves as participants in an open, transparent, and public debate, lawyers 
concerned about civil liberties need to approach proposed legislation with a “hacker” mentality, 
looking for non-obvious ways to read the legislation in order to locate the little-understood legal 
vulnerabilities the government might exploit behind its wall of secrecy and protective official 
statements. 

For example, Canada’s ongoing debates regarding lawful access reform generally focus on 
the ordinary law enforcement context and yet this reform has difficult-to-understand implications 
for surveillance in the national security context as well. 

For over a decade, the federal government has sought to pass lawful access legislation. One 
of the more recent failed iterations, Bill C-30, would have created a mandatory warrantless 


access regime for some kinds of metadata. In particular, both CSIS and Canadian police services 


'’ This was recently highlighted in the Office of the Privacy Commissioner of Canada, Special 
Report to Parliament: Checks and Controls: Reinforcing Privacy Protection and Oversight for 
the Canadian Intelligence Community in an Era of Cyber-Surveillance (28 January 2014). 


11 


could designate particular individuals who would be authorized to require any 
telecommunications service provider to provide them with identifying subscriber information. 
This included: 

Name, address, telephone number and electronic mail address of any subscriber to any of the 

service provider’s telecommunications services and the Internet protocol address and local 

service provider identifier that are associated with the subscriber’s service and equipment.'® 
At the time, critics were concerned that this effectively amounted to a mandatory identification 
regime, undermining internet anonymity.'” The federal government claimed, controversially, that 
such mandatory identification was required to fight crimes like child pornography.”° After a great 
deal of public controversy over the warrantless access regime, Bill C-30 was shelved. 

However, now that we have learned more details regarding some of the ways in which 

CSEC and the NSA have built tracking tools we can see how mandatory warrantless access to 
some forms of subscriber data could also enable the tracking of individuals. Bill C-30 did not 
place any kind of constraint on requiring access to this information, except in relation to who 
could require it.”' It is true that Bill C-30 would not have allowed CSEC to ask for subscriber 
information. However, part of CSEC’s mandate is to provide technical assistance to other 


Canadian authorities, including CSIS and the RCMP, who could get access to this data and who 


would face no legal impediment to setting up a regime of bulk access to this data. 


'§ Bill C-30, An Act to enact the Investigating and Preventing Criminal Electronic 

Communications Act and to amend the Criminal Code and other Acts, 1* Sess, 41" Parl, 2011- 

2012, s.16. 

'° Lisa M Austin and Andrea Slane, “What’s In a Name? Privacy and Citizenship in the 

Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations” 

(2011) 57 Criminal Law Quarterly 487. 

°° “ic Toews accuses bill’s opponents of siding with child pornographers” The Star (13 

February 2012), online: The Star 

http://www.thestar.com/news/canada/2012/02/13/vic_toews_accuses_bills opponents of siding 
with child pornographers.html. 

*! Bill C-30, supra note 18. 


12 


As computer security expert Bruce Schneier recently wrote, “If the NSA has a database 
of IP addresses and locations, it can use that to locate users.””* We know from the recent CSEC 
disclosures that the ability to track individuals in real time through the use of various forms of 
metadata, including IP addresses, was known to the government at least as early as May 2012.”° 
Bill C-30 received first reading in February 2012 and was shelved amidst public protest in 
February 2013.”* Therefore it is perfectly conceivable that the federal government knew that Bill 
C-30 could enable the deployment, by either CSIS or the RCMP, with the assistance of CSSEC, 
of the kind of real-time tracking tools recently revealed. However, such capabilities were not part 
of the federal government’s public discussion of Bill C-30. 

In November 2013, the federal government reintroduced lawful access reform as part of 
its cyber bullying legislation. Bill C-13 does not include mandatory warrantless access to 
subscriber information. However, this does not mean that the issue has disappeared. Rather, it is 
currently being fought in the courts in relation to the question of voluntary, rather than 
mandatory, warrantless access to subscriber information.”’ There are a number of lower court 
decisions that suggest that it is permissible for the state to get warrantless access to some forms 
of subscriber information where this information is voluntarily provided by the service provider 


and where that service provider has a service agreement with its customer indicating that it might 


*° Bruce Schneier, “Finding People’s Locations Based on Their Activities in Cyberspace” 
(February 13, 2014) Blog Post, online: 
https://www.schneier.com/blog/archives/2014/02/finding peoples.html. 

*> This is the date of the slides. The slides are available online: 
http://www.cbce.ca/news2/pdf/airports_redacted.pdf. 

** Laura Payton, “Government killing online surveillance bill” CBC News (11 February 2013), 
online: CBC http://www.cbc.ca/news/politics/government-killing-online-surveillance-bill- 
1.1336384. 

°° See R v Spencer, 2011 SKCA 144, currently under appeal before the Supreme Court of 
Canada. 


13 


share this information with the state.”° The issue is currently before the Supreme Court of Canada 
and we are waiting for a decision in R v Spencer.”’ However, again it is important to note that 
the case was argued within a particular context — a specific criminal investigation into child 
pornography — where these broader implications for how the case might be interpreted to enable 
very different forms of surveillance were not at all part of the public discussion. 

Moreover, just as the warrantless access issue has moved from one of mandatory access 
to one of voluntary access, Bill C-13 makes the terms of voluntary access easier. It provides that 
where a person voluntarily shares information with authorities, so long as she “is not prohibited 
by law from disclosing” the information, no order is required and there is no criminal or civil 
liability for providing this information.”* The Canadian government has suggested that this is 
simply provides “greater certainty” to what is already the case, without providing information as 
to the contexts in which it seeks voluntary access.” 

At a recent conference on surveillance, former Chief of CSEC, John Forster, indicated in 
answer to a question from the audience that CSEC could access its metadata database for the 
purposes of carrying out its assistance mandate but that it would then be constrained by whatever 
legal requirements applied to the institution it was providing assistance to.*’ In other words, if 


CSEC was assisting the RCMP, then its assistance would be governed by the terms of the 


°° Some cases, like R v Ward, 2012 ONCA 660, suggest that the agreement is just one factor in 
the reasonable expectation of privacy analysis, rather than a decisive factor. 

°7 Supra note 25. 

°8 Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act 
and the Mutual Legal Assistance in Criminal Matters Act, 2"! Sess, 41‘ Parl, 2013, s.20 (first 
reading 20 November 2013). This is the proposed new s.487.0195 of the Criminal Code. 

*® Department of Justice, Myths and Facts: Bill C-13, Protecting Canadians from Online Crime 
Act online: Department of Justice http://www.justice.gc.ca/eng/news-nouv/nr- 
cp/2013/doc_33002.html. 

*° The Electronic Surveillance State: Canada’s Position, Global Implications & The Question of 
Reform, The Canadian International Council, Toronto Branch, March 1, 2014. The question was 
mine. 


14 


RCMP’s warrant. For those concerned about the domestic implications of broad state 
surveillance capabilities, this means that the warrant requirements need to be scrutinized with 
this assistance in mind. Seen in this light, some of the reforms proposed in Bill C-13 are 
important. For example, Bill C-13 creates new production orders for “transmission data” as well 
as “tracking data” on a standard of reasonable suspicion.*! The government’s rationale is that this 
is analogous to what we already permit in relation to the use of tracking devices and number 
recorders.*” The thought is that since a reasonable suspicion standard was enough when we had 
to install devices on telephone land lines to determine the numbers phoned, it is enough now to 
unlock the metadata associated with modern communications. However, we cannot atrive at 
public understanding of these provisions unless we understand the full context of their use. 

What the Snowden revelations have shown us so clearly is that the issue is not about types of 
information but systems of information and methods of analysis. Creating a system of orders and 
warrants that presumes meaningful distinctions between subscriber information, transmission 
data, and content, is one that cannot provide the public with a clear understanding of what 
authorities can actually do and what the privacy implications are. The challenge here is quite 
serious, as it is not clear that our current constitutional jurisprudence provides us with 
appropriate legal tools. Our constitutional privacy jurisprudence focuses on types of information, 
and specifically whether the information meets the “biographical core” test for identifying a 
reasonable expectation of privacy. What we need are methods of oversight that help us focus on 


systems and methods. 


>! Bill C-13, supra note 28. These are the proposed new ss.487.015, 487.016, and 487.017 of the 
Criminal Code. 
*° Criminal Code, RSC 1985, c C-46, ss. 492.1 (tracking warrant) and 492.2 (number recorder). 


15 


(e) Jurisdiction and Borderless Communications 


When we consider questions of accountability and oversight, we most often do so within a 
national framework. Canadian commentators, for example, point to systems of oversight south of 
the border and argue that in comparison our own framework is inadequate and in need of 
reform.” The framing of the question is then how to ensure that Canadian surveillance activities 
occur within a framework of law, or that Canadians and persons within Canada receive the 
protection of the law. However, I argue that is also important to question the extent to which 
national jurisdiction remains a meaningful category in relation to questions of oversight. As I 
outline in this section, in the context of a global communications infrastructure, ideas of national 
law and status categories (like non-US person) are currently more likely to create the legal 
“loopholes” that enable broad surveillance than to create forms of accountability and oversight. 

Our increasingly borderless system of communication is one that follows the technical 
imperatives of the nature of information. It is widely agreed that the classic point of departure for 
information theory is Claude Shannon’s 1948 paper, “The Mathematical Theory of 
Communication,” which purported to provide a theory that would allow one to measure 
information and system capacity for storage and transmission of information.** As he so 
strikingly outlines in his introduction, the “semantic aspects” of communication—the meaning of 
messages—“are irrelevant to the engineering problem.” “Information,” on this model, is not 


something that is dependent on the context of disclosure or of receipt. One can see how, despite 


*? Weston, Greenwald and Gallagher, supra note 9. 

** Claude E Shannon, “The Mathematical Theory of Communication,” (1948) 27 (July) Bell 
System Technical Journal 379 and (1948) 27(October) Bell System Technical Journal 623. 
Reprinted in Shannon and Weaver, The Mathematical Theory of Communication (Urbana: 
University of Illinois Press, 1949) 3. 


16 


developments in information theory and practice in the intervening decades, this still captures an 
important aspect of information and communications technology (ICT). ICT easily shifts 
information from one context to another partly because what information is is seen to be 
independent of these contexts. This logic is further extended in the context of the so-called 
digital revolution in ICT, which has largely erased the differences between different mediums of 
transmission and led to an ever-greater proliferation of networking. 

The basic “logic” of information, therefore, is that it does not respect context. This is one of 
the reasons that ICT raises so many privacy concerns. Both privacy norms and justifications for 
the breach of privacy norms depend upon many contextual factors, yet ICT facilitate practices 
that render those contextual factors irrelevant.*° Disclosing information in a context and for a 
purpose different than the context and purpose for which it was initially collected is one 
example, taking information that is relatively innocuous in one context and aggregating it to 
create revealing profiles is another. Geographical borders are another “contextual” feature that 
ICT increasingly renders irrelevant in many practical details. With so many of our personal and 
professional activities mediated by the internet, many of us physically sit in one jurisdiction and 
at the same time talk, shop, write, and read in an entirely different jurisdiction. The rapid 
adoption of cloud computing has meant that we can now be in one jurisdiction but have what are 
essentially our own personal digital archives stored in another jurisdiction (or multiple 
jurisdictions). 

Several NSA surveillance programs exploit these features of modern communications 
technology, through leveraging the fact that much of the world’s internet traffic passes through 


the United States and that many of the most central players in cloud computing are US 


°° Lisa M Austin, “Privacy and the Question of Technology” (2003) 22 Law and Philosophy 119. 


17 


companies, giving it a “home-field advantage”.*° Although the NSA’s internet surveillance 


programs operated extra-legally in the aftermath of 9/11°” 


, they now operate within a legal 
infrastructure that allows them to take advantage of US dominance of the internet. Prior to 2008, 
US authorities could only conduct surveillance on non-US person targets outside of the US by 
showing reasonable and probable grounds that the target was a foreign power or an agent of a 
foreign power, and by obtaining an order from the Foreign Intelligence Surveillance Court 
(FISC).*® With the passage of the FISA Amendments Act (FAA) in 2008°°, FISC can approve 
surveillance of non-US persons outside of the US without individualized orders.*° These changes 
have provided the legal basis for NSA programs like PRISM, which involve obtaining 
communications data from internet companies like Microsoft and Google. 

From an American perspective, these legal changes remove obstacles to the timely 
acquisition of important intelligence information while not compromising US constitutional 


guarantees, since the US constitution is widely held to not apply to non-US persons abroad.” 


However, from the perspective of a non-US person this can enable state surveillance on 


°° Glenn Greenwald and Ewen MacAskill, “NSA Prism program taps in to user data of Apple, 
Google and others” The Guardian (7 June 2013), online: The Guardian 
http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data. 

*7 James Risen and Eric Lichtblau, “Bush Lets U.S. Spy on Callers Without Courts” The New 
York Times (16 December 2005), online: The New York Times 
http://www.nytimes.com/2005/12/16/politics/16program.html?pagewanted=all. 

_ Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1783; US, Senate 
Committee on Intelligence, 1 12" Cong, Report on FAA Sunsets Extension Act of 2012, (S doc 
No 112-174) (Washington, DC: US Government Printing Office) at 16; A “United States person” 
is defined to include US citizens, permanent residents, unincorporated associations that include a 
substantial number of US citizens and permanent residents, and corporations incorporated in the 
US. See 50 USC § 1801 (i). 

39 FISA Amendments Act of 2008, Pub. L. no. 110-261, 122 Stat. 2463. 

ar Report on FAA Sunsets Extension Act, supra note 38 at 3. At the same time, the FAA increased 
the protections provided to US persons located outside of the United States, primarily through 
providing for judicial review. 

*' [bid at 16. 


18 


standards that fall below their own domestic statutory and constitutional guarantees. Consider 
Canada. A Canadian using Gmail, for example, has her email routed through the US and stored 
on US servers, making it vulnerable to collection under the FAA. Under s. 702, the Attorney 
General and the Director of National intelligence are permitted to jointly authorize the targeting 
of individuals located outside of the US “to acquire foreign intelligence information.” This is not 
an individualized warrant regime. FISC approves annual certifications for the collection of 
categories of foreign intelligence information and the AG and DNI can then determine which 
individuals to target, without any additional oversight.’” Foreign intelligence information 
includes information that “relates to” “the conduct of the foreign affairs of the United States.””* 
Such a broad definition can easily include things like political speech, for example; while there 
are protections in FAA for freedom of expression, these all apply to US persons only.”* There are 
also a variety of “minimization” provisions to reduce the privacy impact of authorized 
surveillance but these provisions also only apply to US persons. 

Canadians do not face a similar threat of surveillance from the Canadian state. For example, 
the National Defence Act does not allow CSEC to target Canadians, much less to do so on such 
lax standard. Canadians can be targeted by CSIS or the RCMP, and then CSEC can assist 


through its assistance mandate, but such targeting is then subject to both the warrant 


requirements that apply to these agencies as well as our Charter guarantees. Of course, CSEC 


*” President’s Review Group on Intelligence and Communications Technologies, Liberty and 
Security in a Changing World: Report and Recommendations of The President’s Review Group 
on Intelligence and Communications Technologies (12 December 2013) at 136. 

8 See 50 USC § 1801 (e). 

“* The President’s Review Group reports that s.702 is only used to intercept communications 
where the foreign intelligence information at issue is related “to such matters as international 
terrorism, nuclear proliferation, or hostile cyber activities” (supra note 42 at 152-3). However, 
the language of s. 702 and the definition of foreign intelligence information does not contain any 
such limitations. 


19 


has a controversial metadata program that has raised numerous questions regarding both its 
statutory authorization and its constitutionality. Nonetheless, what is important here is that, in 
relation to non-US persons, FAA permits access to content as well as metadata with fairly 
limited statutory restrictions and no constitutional restrictions at all. Canadians who use US- 
based cloud computing therefore are subject to US state surveillance on standards that, if applied 
within Canada, would be clear violations of our statutory and constitutional rights. 

Many have also claimed that these standards are clear violations of international human 
rights standards. This debate is ongoing, but the official position of the US government is that the 
protections of the International Convention on Civil and Political Rights only extend to 
individuals both within its territory and within its jurisdiction.” The split that cloud computing 
makes possible — that an individual would be outside its territory but her information subject to 
US jurisdiction — also creates a space where international human rights norms (arguably) do not 
apply. 

There has been pressure to amend US law in order to erase this distinction between US 
and non-US persons. The President’s Review panel offered one of the most serious attempts to 
justify some form of such a distinction. The justification they offer is not based upon the reach of 
the Fourth Amendment, but an understanding of democratic community. It is worth reproducing 
at some length: 

To understand the legal distinction between United States persons and non-United states 

persons, it is important to recognize that the special protections that FISA affords United 

States persons grew directly out of a distinct and troubling era in American history. In 


that era, the United States government improperly and sometimes unlawfully targeted 
American citizens for surveillance in a pervasive and dangerous effort to manipulate 


*° Charlie Savage, “U.S., Rebuffing U.N., Maintains Stance That Rights Treaty Does Not Apply 
Abroad” New York Times (13 March 2014), online: The New York Times 
http://www.nytimes.com/2014/03/14/world/us-affirms-stance-that-rights-treaty-doesnt-apply- 
abroad.html? r=0. 


20 


domestic political activity in a manner that threatened to undermine the core processes of 
American democracy. As we have seen, that concern was the driving force behind the 
enactment of FISA. 
Against that background, FISA’s especially strict limitations on government 
surveillance of United States persons reflects not only a respect for individual privacy, 
but also—and fundamentally—a deep concern about potential government abuse within 
our own political system. The special protections for United States persons must therefore 
be understood as a crucial safeguard of democratic accountability and effective self- 
governance within the American political system. In light of that history and those 
concerns, there is good reason for every nation to enact special restrictions on 
government surveillance of those persons who participate directly in its own system of 
self-governance.”° 
The justification for the distinction therefore remains rooted in ideas of the importance of 
national jurisdiction and traditional ideas of the significance of the state and its coercive powers. 
This just underscores the fundamental tension: we have a global communications network where 
increasingly borders do not matter, we have surveillance practices responding to this reality, and 
yet we seek to justify and hold surveillance powers to account through asserting that borders 
matter. Even the idea that concerns about abuse of state authority are restricted to the context of 
domestic political activity is difficult to accept when so many of us frequently cross borders for 
both personal and professional reasons. The Canadian example of Maher Arar is a stark reminder 
of this—Arar was apprehended by US authorities while in-transit in New York, and removed to 
Syria where he was tortured.*’ 

Apart from the issue of Canadians crossing the border and becoming directly subject to 
US jurisdiction, there is the issue of information sharing between the US and Canada, as well as 


with other allies. If US authorities can collect information about Canadians on lower standards 


than are permitted within Canada, and then share this information with Canadian authorities, 


“© President’s Review Group, supra note 44 at 153. 

“” Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, 
Report of the Events Relating to Maher Arar, Analysis and Recommendations (Her Majesty the 
Queen in Right of Canada, represented by the Minister of Public Works and Government 
Services, 2006). 


21 


then this effectively creates an end-run around our constitutional guarantees even if it is, on some 
level, “lawful”. Although we do not know enough about Canadian practices to assess the 
seriousness of this worry, recent evidence suggests it is not that far-fetched. 

In a recent, and controversial, Federal Court decision, many important details came to 
light regarding the Canadian government’s understanding of information sharing practices 
between its allies.** The case concerned whether, when obtaining a warrant from the Federal 
Court, CSIS needed to disclose the fact that it would seek assistance from CSEC under CSEC’s 
assistance mandate, and that CSEC would task foreign allies with this assistance. Justice 
Mosley’s concern was not with the flow of information from foreign allies to Canadian 
authorities but the other way around—that asking for assistance means that the targets of 
surveillance could face an increased risk of detention or harm from those foreign allies.”” 

The issues are legally complex, and the case is under appeal. Here I merely want to 
underscore a number of important details that bear on the question of whether Canadian 
authorities can obtain information about Canadians that was collected under foreign domestic 
laws that violate our own constitutional standards. 

Partly at issue was a 2007 Federal Court decision that held that the Federal Court did not 
have the jurisdiction to issue a warrant for surveillance activities abroad.°° CSIS argued that in 
light of this decision, 

they turned to the general authority to investigate threats to the security of Canada set out in 


s.12 of the [CSIS] Act. They reached the conclusion, through the advice of their legal 
counsel, that a warrant was not required for CSIS to engage the assistance of the second 


48 In the matter of an application by[ | for a warrant pursuant to Sections 12 and 21 of 
the Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23; and the the matter of | ], 
2013 FC 1275 [hereinafter Mosely decision]. 

” Tbid at paras 115, 122. 

°° Reasons for Order and Order (October 22, 2007), Justice Blanchard; The public redacted 
version is: Re CSIS Act, 2008 FC 301). 


22 


parties through CSEC to intercept the private communications of Canadians outside the 
51 
country. 


It was also CSEC’s position was that no warrant was required for this foreign assistance, that 
only the domestic law of the foreign nation that would apply.’ Accordingly, “they could request 
that a foreign agency do within its jurisdiction that which CSIS and CSEC could not do in 
Canada without a warrant.”** Consistent with this, the Deputy Attorney General of Canada has 
taken the position that CSIS can ask CSEC to task foreign allies to conduct surveillance abroad 
so long as such surveillance is in accord with the foreign ally’s domestic legislation and does not 
raise serious human rights concerns.” 

This view partly rests on cases like R v Hape, which have held that when Canadian 
authorities conduct surveillance on Canadians in other countries the Charter does not apply.” 
However, there remains uncertainty as to whether Canadian authorities require some form of 
lawful authority to conduct surveillance abroad, including engaging the assistance of its allies, 
even if the Charter does not apply.*° There are also questions as to whether the broad powers 
legally argued for have actually been exercised.’ Nonetheless, it shows that there is a plausible 
legal interpretation that suggests the following asymmetry: there are circumstances where 
Canadian authorities can ask US authorities to intercept the communications of Canadians on 


standards that fall far below the level of rights protection afforded to Canadians under our own 


>! Mosely decision, supra note 48 at para. 94. 

** Ibid at para. 58. 

°° Ibid at para 60. 

** Ibid at para 34. 

°° [bid at para. 29; R v Hape, 2007 SCC 26. 

°° Ibid at para 30. 

*’ [bid at para 112: “I am satisfied that the Service and CSEC chose to act upon the new broad 
and untested interpretation of the scope of s 12 only where there was a 30-08 warrant in place”; 
The original 30-08 warrants under discussion were issued for surveillance within Canada on 
targets who were then travelling abroad, so additional warrants were then sought (at para 36). 


23 


domestic legislation and constitutional guarantees. In doing so, they would not be acting 
unlawfully, given the interpretation of the law just outlined. 

What these various examples underscore is that we cannot simply focus on domestic 
institutions and domestic laws if we are to bring surveillance practices within an effective regime 
of oversight and accountability. Some form of international treaties is likely required, with 
international oversight bodies. Early in the life-cycle of the Snowden revelations there was 
speculation about the existence of “no spy” agreements between members of the Five Eyes 
alliance”®, protecting the citizens of each country from spying from other members. Although 
there seem to be informal practices and conventions, the United States has publicly and 
emphatically denied any formal agreements.°” Whatever we might think about these relationships 
“based on decades of familiarity, transparency, and past performance between the relevant policy 
and intelligence communities”, these are not legal protections.®° They are secret, of uncertain 
scope, can be discarded in the interests of national sovereignty’, exist to protect the interests of 


the state and not the citizens of that state, and are in no way subject to independent oversight. 


(f) Conclusions 


It is clear that Canada needs to provide a better system of accountability and oversight for our 


national security agencies and activities. However, in doing so we need to stop thinking that the 


issue is illegal activity on the part of our national security agencies, such that the answer is to 


°§ The members are the US, Canada, UK, Australia, and New Zealand. 

»’ The President’s Review Group, supra note 44 at 175; Jennifer Epstein, “U.S. doesn’t have ‘no- 
spy’ agreement with foreign countries, Obama says” Politico (11 February 2014), online: 
Politico http://www.politico.com/story/2014/02/nsa-spying-foreign-countries-103382.html. 

°° The President’s Review Group, ibid at 175. 

°' Mosley deicison, supra note 48 at para. 17. 


24 


create a system where we can ensure that they follow the law. Instead, I have argued that we 
need to start from the proposition that our national security agencies do, in good faith, 
understand themselves to be acting within the law. If we do that, then we can start to appreciate 
that the relationship between the surveillance state and the rule of law is much more complex, 
and the possibility of reform more challenging, than is sometimes clear from reactions to the 
Snowden disclosures. If we look closely we will see that surveillance does indeed operate 


according to a legal infrastructure. The problem is that infrastructure is one of lawful illegality. 


25 


